Disallow anonymous access to Sun Directory Server

I received an email from my customer a week ago.

Even when a new instance is created, the default ACI allows anonymous to access this? Any ideas?

My reply below:

Yes, Sun Directory Server is built as-such. It behaves like a "Yellow Pages" sort-of. E.g. In a corporate directory server, anyone can search for anyone by default, with the exception of password.


This site from IBM explains better than me.

Searching a directory is similar to looking up a name in the white or yellow pages of a telephone directory. If the name of a particular individual object is not known, the directory can be searched for a list of objects that meet a certain requirement.

So we know that, by default, the Directory Server is accessible anonymously.


How can we disable this function?

Very easy. I did the following for another customer of mine in Thailand.

• Remove the following segment in 99user.ldif in the config/schema directory

dn: o=XXX aci: (target ="ldap:///o=XXX")(targetattr !="userPassword")
(version 3.0;acl "Anonymous read-search access"; allow (read, search, compare) (userdn = "ldap:///anyone");)

Easy. But do remember to stop/start the Directory Server.


.

Oracle Directory Server in YOG

I just received a call from my counterpart in Oracle (ex-Sun) asking for my availability in AUG to support a critical Directory Services infrastructure.

I was curious and probed further... 

... and I was told that the YOG (Youth Olympic Games) that is going to be held in Singapore is using Oracle Directory Server (aka. Sun Java System Directory Server) and my service might be required.

It's my honor definitely.

However, I have a national obligation (aka Reservist) during that period of time. If time permits and the money is right, I'll try to make myself available. I'll talk to my boss in the Army. Ha. :)


.

Sun Software Product Map - Part III

If you take a good look at the list, you'll notice that OpenDS is missing.

FYI, there is a commercial version of OpenDS - Sun OpenDS Standard Edition.

From what I know, Oracle is still defining the strategy for OpenDS. Until then, we do not know what will happen to OpenDS.

A lot of development work has been poured into OpenDS. It's a total rewrite in Java from Sun Java System Directory Server. I'm keeping my fingers crossed.


By the way, Directory Service is another strength of us. So we'll be watching closely on the development of OpenDS.


.

Sun Software Product Map - Part II

Sun Java System Portal Server

Sun Java System Portal Server is completed discontinued. 

Sun Portal Server brings me very good memory. This is the very first product we deployed in Philippines when we become Sun Partner 6 years back. Subsequently, we deployed many more instances. It's selling well in Philippines. 

In Singapore, we still have a few Sun Portal Servers running. I deployed 2 instances in S'pore and am currently supporting one of them. 

Goodbye, my dear friend. 

Sun Java System Web Server

Sun Java System Web Server and Web Proxy Server have been rebranded to Oracle iPlanet Web Server and Oracle iPlanet Web Proxy Server.

Welcome back, iPlanet! History of iPlanet here.

iPlanet has come a long way ...

iPlanet ... Sun ONE ... Java Enterprise System ... Sun Java System ... iPlanet



Sun Java System Identity Manager

Sun Java System Identity Manager is now Oracle Waveset. (Waveset IdM was bought over by Sun)

Oracle is keen on pushing it's own Oracle Identity Manager. Thus there is no choice but to discard Sun Identity Manager. Sun Role Manager (bought over from Vaau), which was supposed to be integrated with Sun Identity Manager, is now rebranded as Oracle Identity Analytics. Most likely it will be used to integrate/complement Oracle Identity Manager.

Unlike Sun Portal Server, Oracle Waveset is kept. I can only guess that we have a few local banks currently using it. A huge ministry has just awarded a tender and the key component is Oracle Waveset.

In the Asia region, a few Thai banks are also customers of Oracle Waveset to my knowledge.


.

Sun Software Product Map

The name "Sun Java Systems Communications Suite" is now history. 

Communications Suite is one of the products we are very strong in. 

I just find it weird that Sun Messaging Server has been rebranded as Oracle Communications Messaging Exchange Server.  

Do we really need that word?

PS: The full listing here.

.

Red Condor Archive

It has been a while since I last looked at Red Condor. (Read here)

Red Condor released a new product offering last October - Red Condor Archive.

A secure message archiving service that helps organizations meet compliance regulations, e-discovery support requirements, and data storage and management best practices.

Key benefits of Red Condor Archive include:
* Archiving of all inbound and outbound messages, internal and external
* Unlimited storage at no additional cost
* All data searchable at all times
* Preservation of data
* Easy to use interface
* Instant set-up
* Replication to multiple data centers
* Role-based Administration Dashboard
* Individual End User search

Read more here.


I am always curious how a company can sustain its business by providing unlimited service/storage at no additional cost.

There can only be 2 explanations:
1. My maths is poor;
2. I have not been in this business long enough



PS: Red Condor is not the only company offering unlimited storage at no additional cost.


.

One inbox for every citizen

My colleague brought me to attention a grand vision made by the Singapore Government:

ALL residents will have an online mailbox to which various Government agencies will send statements and bills from tax statements to TV license renewals and service and conservancy bills. Called OneInbox, this service will be launched by 2012.  

The Straits Times 14-Jun-2010

It is indeed very daring - imagine all the old uncles and aunties having to learn how to use computers to read emails, just in case they get penalized for late payments. :)


Joke aside, I am more curious on which software vendor will get chosen for this tender?


Will it be Microsoft for it's Exchange Server again? (Since the Singapore government is pretty pro with anything Microsoft)

Will it be IBM for it's Lotus Notes? (I doubt so as it is pretty costly)

Will it be Oracle/Sun for it's Sun Java System Messaging Server? ( SJS MS used to be relatively cheap under Sun. The pricing is slightly different now though :>  Technically wise, it is a ISP-grade software, thus making it very suitable for this deployment )

I personally do not think the Government will go for any cloud service like Goggle Gmail, Microsoft BPOS, or IBM LotusLive. I'll be surprised if one of these 3 wins the deal.

.

jQuery should be easy to implement

The social-network-driven portal based on LifeRay is still under development. (Read here and here)

LifeRay uses jQuery intensively. I was tidying up the Contact Us page yesterday. This page is a static HTML page and has nothing to do with LifeRay.

But in the pursuit for consistent look-and-feel, I decided that validation of the form and display of success/error messages should be the same as what one will experience when he logs into LifeRay portal. So jQuery is the way to go!


The Contact Us form is so simple, yet it took me a long while to make it work using jQuery.

Maybe I'm too old for new technology. Ha! :) I could not find a good example on the web of the 2 things I want to achieve. 

The 2 things are so simple, mind you. 

1. Validate fields once "Submit" button is clicked

2. If the fields are valid, perform a form submission

Difficult? 

I struggled for quite some time and finally found the solution.

The codes below should be good enough for 80% of JavaScript developers and should be able to digest and implement in 5 mins. 

1. jQuery Scripts Download

• Download the latest copy of jQuery from here. (rename the script as jquery-latest.js)
• Download the latest copy of  jQuery plugin: Validation from here. (rename the script as jquery.validate.js)

2. Insert the following script between the head HTML tags

That's it. Done!

Do you need to write special code in the form section for jQuery to kick into effect? No.

Take a look at my form. There is no reference to jQuery at all.

The following is what you will see if there is an error.

PS: The tricky part for me is how to perform a form submission. Should be form.submit(); and not $("#myForm").submit();



.

Sun Access Manager SSO and Passlogix ESSO - Part II

In his environment, my customer has Sun Access Manager and Passlogix v-GO SSO in place.

There are 3 categories of applications:

1. Client-Server Applications (Legacy mainframe applications)

2. Non-Access Manager Protected Web Applications (Off-the-shelf web applications that cannot be customized for Sun Access Manager integration)

3. Access Manager Protected Web Applications

It's a large bank and there are many back-end applications. Pretty complex to adopt 2 different technology in 1 enterprise environment. However, this is just a interim solution.

The larger picture is to slowly:

1. Convert the client-server applications to web-based applications

2. Discard off-the-shelf web applications and build own customized web-based applications

3. Standardize all SSO to utilize Sun Access Manager

If the client has SSO like Passlogix on PC, how does Access Manager interact with the client?

I think I can better explain with the following diagram:

1. In each application that is to be Access-Manager protected, a Policy Agent is deployed. This agent acts as a Director.

2. If an application is accessed for the first time, the agent detects that the user credential is missing. It will redirect the user to the Sun Access Manager Login Page.

3. Now, at this moment of time, the v-GO SSO Client that resides on the user's PC detects that a pair of User ID and Password is required for the Sun Access Manager Login Page. It attempts to inject the required information and will automatically click the Submit button on-behalf of the user.

4. Sun Access Manager, upon receiving the user credential, authenticates and issue a SSO Token back to the application.

5. The agent, upon receiving the SSO Token, acknowledges that the user credential is valid and proceed to grant access to the web application's home page.

.

Sun Access Manager SSO and Passlogix ESSO

I received an SMS from my client asking for clarification:

Just to check with you for understanding ... Sun Access Manager is for access control of web-based applications right? If the client has SSO like Passlogix on PC, how does Access Manager interact with the client?

Now, we need to understand there are 2 components - Sun Access Manager and Passlogix . They are quite similar in that they assist in Single Sign-On. However, there are some differences which we need to take note.

Firstly, we need to correct the term Passlogix. To be more precise, we are talking about Passlogix v-GO Single Sign-On. 

• Sun Access Manager can only perform Web-based Single Sign-On. Only web-based applications are suitable candidates for SSO.
  

• Passlogix v-GO Single Sign-On is a ESSO (Enterprise Single Sign-On) product. Being ESSO-enabled, it supports a wider range of applications.
  e.g. - Web-based applications
         - Windows 32-based applications
         - Host/mainframe systems
         - Applications running on Terminal Services
         - Applications running on Citrix Servers

v-GO SSO looks better, no?

• You need to install a v-GO SSO Client Agent on each and every PC. 
• If there is a patch or upgrade, you need to remember to apply on each and every PC.

There's always pros-vs-cons which every enterprise has to evaluate before deciding on the technology to adopt.


Now that we understand the differences, I'll attempt to answer my customer's question in my next blog.


.

Liferay Strange CSS UI Guideline

The social-network-driven portal which we are developing for our customer is about half-done. I'm trying to customize the look-and-feel of the LifeRay Portal Server now.

Pretty bad experience trying to customize LifeRay Portal. There is something I do not like about LifeRay - the definition of CSS styles.


The bad thing is there is a system-wide JSP file where one can define CSS styles - css.jsp. Define CSS styles in a JSP file?!!

That's not all. If you create a portlet, you can define yet another css.jsp within your portlet directory. This is getting crazy!


I have developed on a number of Portal Servers. This is the first time I see CSS styles being defined in a JSP file. This is super unclean and no clear separation of tasks.

There should be a single place where one defines CSS styles. I am not against defining styles in a JSP file (though I really find it really weird). However, if JSP file is used, there should not be any more .css file being defined.


So how did I manage to customize the LifeRay Portal then?

I have actually asked my designer to do the job. I sent him all the .css files I could find so that he can render on his Dreamweaver. However, at times, he'll be stuck. He simply could not locate some CSS styles that have been declared.

Very strange. How can that be? No choice, I need the following:

Firefox with Firebug are the best friends you can ever have. Trust me. With them, that's how I located css.jsp - the evil.


.